I've been playing around with IPsec lately (4.9-current), and it seems to be working just fine. Connectivity is how I want it, tcpdumps on the interfaces look good too, and there is nothing weird in the logs. But as it feels fairly complicated to get a grasp on this, it would be nice to get some feedback or fresh eyes on the setup, especially the pf stuff, in case there are some glaringly obvious hole(s) or stupid stuff somewhere.

The basic setup is a pretty common scenario: a laptop on an RFC 1918 net behind a crappy wireless router somewhere (with a dynamic IP) wants an IPsec tunnel to the OpenBSD box connecting remote_net and int_net.

# /etc/pf.conf @ gateway
ext_if="vr0"
int_if="fxp0"
int_net="192.168.1.0/24"
remote_net="192.168.3.0/24"
set block-policy drop
set loginterface $ext_if
set optimization aggressive
set skip on lo
match in all scrub (no-df)
match out on $ext_if from $int_net nat-to ($ext_if)
block in all
block quick inet6 all
antispoof quick for { $int_if $ext_if }
pass out
block on enc0 all
pass in on enc0 from any to ($ext_if) keep state (if-bound)
pass out on enc0 from ($ext_if) to any keep state (if-bound)
pass in on enc0 from $remote_net to $int_net keep state (if-bound)
pass out on enc0 from $int_net to $remote_net keep state (if-bound)
pass in on $ext_if inet proto udp from any to ($ext_if) port { 500 4500 } keep state (pflow)
pass in on $ext_if inet proto esp from any to ($ext_if) keep state (pflow)
pass in on $int_if keep state (pflow)
block in on ! lo0 proto tcp to port 6000:6010
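To sanity-check what a ruleset like this actually does, here is a small Python evaluator, added here and not part of the original post, that replays the post's pass/block rules with pf's last-match-wins semantics (a `quick` rule stops evaluation) against a few constructed packets. It assumes a public address of 203.0.113.10 on vr0 and 192.168.1.1 on fxp0 for the ($ext_if)-style expansions, and it ignores the set, match (scrub/NAT) and antispoof lines, which do not themselves pass or block. The real check remains `pfctl -nf /etc/pf.conf` and `pfctl -sr` on the gateway; this only illustrates the rule order.

```python
"""Toy evaluator for the pf rules in the post (added example, not the post's own
config): the last matching rule wins unless it is 'quick'. Only the rule forms
used in the post are handled; set/match/antispoof lines are left out."""
import ipaddress
import re

MACROS = {"ext_if": "vr0", "int_if": "fxp0", "int_net": "192.168.1.0/24", "remote_net": "192.168.3.0/24"}
IFACE_ADDRS = {"vr0": ["203.0.113.10"], "fxp0": ["192.168.1.1"]}  # assumed addresses, not from the post

RULESET = """\
block in all
block quick inet6 all
pass out
block on enc0 all
pass in on enc0 from any to ($ext_if) keep state (if-bound)
pass out on enc0 from ($ext_if) to any keep state (if-bound)
pass in on enc0 from $remote_net to $int_net keep state (if-bound)
pass out on enc0 from $int_net to $remote_net keep state (if-bound)
pass in on $ext_if inet proto udp from any to ($ext_if) port { 500 4500 } keep state (pflow)
pass in on $ext_if inet proto esp from any to ($ext_if) keep state (pflow)
pass in on $int_if keep state (pflow)
block in on ! lo0 proto tcp to port 6000:6010
""".splitlines()

def tokenize(line):  # expand $macros, keep { and } as separate tokens
    line = re.sub(r"\$(\w+)", lambda m: MACROS[m.group(1)], line)
    return line.replace("{", " { ").replace("}", " } ").split()

def parse_list(toks, i):  # a single token or a { a b c } list starting at toks[i]
    if toks[i] != "{":
        return [toks[i]], i + 1
    return toks[i + 1:toks.index("}", i)], toks.index("}", i) + 1

def parse_addrs(toks, i):
    """Address after from/to: None means any; (ifname) means that interface's addresses."""
    if toks[i] in ("any", "port"):  # "to port N" carries no address at all
        return None, i + 1 if toks[i] == "any" else i
    items, i = parse_list(toks, i)
    nets = []
    for item in items:
        m = re.fullmatch(r"\((\w+)\)", item)
        nets += [ipaddress.ip_network(h, strict=False) for h in (IFACE_ADDRS[m.group(1)] if m else [item])]
    return nets, i

def parse_ports(toks, i):  # "500", "{ 500 4500 }" or "6000:6010" -> list of (lo, hi)
    items, i = parse_list(toks, i)
    return [(int(p.split(":")[0]), int(p.split(":")[-1])) for p in items], i

def parse_rule(line):
    toks, i = tokenize(line), 1
    r = dict(text=line, action=toks[0], dir=None, quick=False, iface=None, neg=False,
             af=None, proto=None, src=None, dst=None, dport=None)
    while i < len(toks):
        t, i = toks[i], i + 1
        if t in ("in", "out", "inet", "inet6"):
            r["dir" if t in ("in", "out") else "af"] = t
        elif t == "quick":
            r["quick"] = True
        elif t == "on":
            r["neg"], i = (True, i + 1) if toks[i] == "!" else (False, i)
            r["iface"], i = toks[i], i + 1
        elif t == "proto":
            r["proto"], i = toks[i], i + 1
        elif t in ("from", "to"):
            r["src" if t == "from" else "dst"], i = parse_addrs(toks, i)
        elif t == "port":
            r["dport"], i = parse_ports(toks, i)
        # 'all', 'keep state', '(if-bound)', '(pflow)' do not affect which packets match
    return r

def matches(r, pkt):
    """True when every field the rule specifies agrees with the packet."""
    if r["dir"] and r["dir"] != pkt["dir"] or r["af"] and r["af"] != pkt["af"]:
        return False
    if r["proto"] and r["proto"] != pkt["proto"]:
        return False
    if r["iface"] and (pkt["iface"] == r["iface"]) == r["neg"]:  # "on ! lo0" negates the match
        return False
    for key in ("src", "dst"):
        if r[key] is not None and not any(ipaddress.ip_address(pkt[key]) in n for n in r[key]):
            return False
    return r["dport"] is None or (pkt["dport"] is not None and
                                  any(lo <= pkt["dport"] <= hi for lo, hi in r["dport"]))

RULES = [parse_rule(line) for line in RULESET]

def decide(iface, direction, src, dst, proto="tcp", dport=None, af="inet"):
    pkt = dict(iface=iface, dir=direction, src=src, dst=dst, proto=proto, dport=dport, af=af)
    winner = None
    for r in RULES:  # pf semantics: remember the last match, stop at a 'quick' rule
        if matches(r, pkt):
            winner = r
            if r["quick"]:
                break
    return (winner["action"], winner["text"]) if winner else ("pass", "(no match: default pass)")

if __name__ == "__main__":
    # Constructed inbound packets: IKE, SSH from the internet, decapsulated VPN traffic
    # from the expected and from an unexpected source, and X11 from the LAN.
    for pkt in [("vr0", "in", "198.51.100.7", "203.0.113.10", "udp", 500),
                ("vr0", "in", "198.51.100.7", "203.0.113.10", "tcp", 22),
                ("enc0", "in", "192.168.3.5", "192.168.1.10", "tcp", 445),
                ("enc0", "in", "10.0.0.1", "192.168.1.10", "tcp", 445),
                ("fxp0", "in", "192.168.1.10", "192.168.3.5", "tcp", 6000)]:
        action, text = decide(*pkt)
        print(f"{pkt[0]:4} {pkt[4]:3} {pkt[2]} -> {pkt[3]}:{pkt[5]}  {action:5} <- {text}")
```

Two things the sample packets make visible: the trailing `block in on ! lo0 proto tcp to port 6000:6010` wins over the earlier `pass in on $int_if` purely because it comes later, and decapsulated traffic arriving on enc0 from a source other than $remote_net falls through to `block on enc0 all` unless it is addressed to the gateway itself, which `pass in on enc0 from any to ($ext_if)` permits.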